The cooling wars of cyber space in a remote era

Hyperbolic language used to describe the
potential consequences of cyber attacks has contributed to the ‘securitisation’ of the debate around cyber security
issues. Increased transparency and accurate
information is essential.

Flickr/Kevin Marks. Some rights reserved.Cyber space is a confusing place. As
current discussions highlight the possibility of ‘major’ cyber attacks causing a significant loss
of life or large scale destruction, it is becoming harder to determine whether
these claims are hype or are in fact justified fears. A new report, published this week by VERTIC,
commissioned by the Remote Control project, offers some clarity on the subject by
assessing the major issues in cyber security today to help better inform the
debate and assess what threats and challenges cyber issues really do pose to
international peace and security.

How
much of a threat are cyber attacks?

Cyber attacks have been identified as one
of the greatest threats facing developed nations. Indeed, the US is spending $26 billion over the next five years on
cyber operations and building a 6,000-strong cyber force by 2016 and the UK has
earmarked £650
million over four year to combat cyber threats. This level of investment
suggests that states view issues of cyber security as a question of national
security. But how much of a threat do cyber attacks pose to national security
and how much damage have they caused?

There is a need for caution when
assessing the risk posed to national security by cyber threats. Indeed,
although states are heavily investing in cyber security, to date, the majority
of cyber incidents that have made the news have not directly impacted on a
state’s sovereignty, or threatened a state’s survival. For that to happen, an
attack would have to significantly affect a government’s ability to control its
territory, inflict damage to critical infrastructure or, potentially, cause
mass casualties.

Nevertheless, some notable instances of
cyber attacks have had a significant impact on international relations over the
past decades. These are ‘Stuxnet’, the cyber attack targeting Iranian
uranium centrifuges (allegedly launched by a combined US-Israeli operation),
the ‘Nashi’ attacks on the Estonian
government and private sector websites and web-based services, and the many
instances of cyber-espionage that form the so-called ‘Cool War’ currently taking place between China and
the US. Furthermore, cyber attacks have also been used as instruments of war in
conjunction with conventional military operations, for example during the
Russo-Georgian conflict in 2008 and most significantly during the Israeli air
raid against a nuclear reactor facility in Syria in 2007.

However, to date no attack has
led to largescale destruction or fatality, suggesting that the potential for
this is unlikely. This is
due to the great amounts of technological expertise, material resources and
target intelligence required to carry out such an attack. These resources are
currently only in the hands of states, that might hesitate in using cyber
attacks in such a way, when other means are available. This could of course
change, especially if different political actors acquired the necessary means.

What
should we be concerned about?

This is not to say we have nothing to be
concerned about. Although a largescale cyber attack that inflicts mass
casualties is unlikely to occur in the near future, cyber activities can still
affect civilian lives in other ways. The hyperbolic language used to describe
the potential consequences of cyber attacks, combined with a lack of reliable,
concrete information on the real risks posed by cyber threats has contributed
to the ‘securitisation’ of the debate around cyber security
issues. It is feared that this process will lead to possible dangers being
overestimated, and vulnerabilities cast as national security threats of
immediate concern. States’ reactions to these perceived risks may cause
negative implications on both citizens and international peace and security.

Already we are seeing a potential
consequence of securitization as governments turn to surveillance as a
preventative measure against cyber attacks. In addition, the difficulty of
attributing cyber attacks, as well as the widespread fear that other countries
will constantly engage in cyber espionage, has led some to claim that the
‘cyber realm’ favours the attacker. This, in turn, may lead states to engage in
a ‘cyber arms race’, as well as foster a ‘Cool War’ dynamic of continuous attrition and
escalation between states. This erosion of trust between states, as well as the
diminishing of civil liberties, are two serious concerns with regards to the
militarization of cyber space.

Cyber attacks also pose serious
transparency and accountability issues due to the above-mentioned technical
complexities of cyber attack attributions, as well as the ambiguous
relationship between state and non-state actors (in the ‘Nashi’ attack in Estonia for example, the
relation between the youth group responsible for the attack and the Russian
government remains an ambiguous one).
The lack of legal clarity in this area is also worrying, meaning
attackers will often not face consequences for their actions.

The only existing international
legislation in the field - the Budapest Convention - solely addresses
cybercrime and no further issues (such as military use of cyberspace). The
Convention also does not have enough support to provide enforcement of its
objectives, has no monitoring regime and has not been signed by Russia or
China. Furthermore, an attempt to set out ‘rules’ on the legal implications of cyber war -
in The Tallinn Manual - found that the complexities of cyber conflict means
there are many instances that do not easily adhere to current legislative
standards. The speed of technology further hampers drafting of law and
international legislation.

Growth
of remote control warfare

The rise in cyber activities cannot be examined
in isolation. Its growth is part of a broader trend of warfare increasingly
being conducted indirectly, or at a distance. This global trend towards ‘remote control’ warfare has seen an increasing use of drones,
special forces, private military and security companies as well as cyber
activities and intelligence and surveillance methods by governments in the last
decade.

Indeed the global export
market for drones is predicted to grow nearly
three-fold over the next decade, and a broader range of states are now using
drones, including France, Britain, Germany, Italy, Russia, Algeria and Iran.
The US has more than doubled the size of its Special Operations Command since
2001, and private military and security companies are playing an increasingly
important role in both Afghanistan and Iraq, with over 5, 000 contractors
employed in Iraq this year.

The idea of countering threats at a
distance, without the use of large military forces, is a relatively attractive
proposition as the general public is increasingly hostile to ‘boots on the ground’. However, the concerns highlighted in
this latest report with regards to cyber activities are echoed in all ‘remote’ warfare methods as their covert nature
means there are serious transparency and accountability vacuums.

Esther
Kersley is the Research and Communications Officer on the Remote
Control project. The project, hosted by Oxford
Research Group, examines changes in military engagement, in particular the use
of drones, special forces, private military and security companies, cyber
warfare and surveillance. She also edits the Remote Warfare Blog, which is currently
running a series on remote warfare and the ‘war on drugs’. Follow the project
on Twitter: @RemoteCtrl

Katherine
Tajer is as a Research Assistant for the
Verification Research, Training and Information Centre (VERTIC)

Alberto
Muti is as a Research Assistant for the
Verification Research, Training and Information Centre (VERTIC)

This article is published under a Creative Commons Attribution-NonCommercial 3.0 licence.
If you have any queries about republishing please contact us.
Please check individual images for licensing details.